I have an x86_64 ELF binary which is statically compiled. With some digging, I have found the C library is musl. In IDA Pro 7.0, the decompiled pseudocode shows syscalls as inline assembly code. But in the latest IDA Pro 7.3.x it is shown as an incomplete function. Take fork() as an example:

  • In assembly:
    mov eax, 57
    syscall
  • In IDA Pro 7.0:
    __asm { syscall; LINUX - sys_fork }
  • In IDA Pro 7.3.x:
    sys_fork()

So, there is some improvement :)

I want IDA to automatically resolve the function parameters and return values. In the Windows world, I did something similar by creating type libraries. Is there any way to import the whole C library (musl or glibc) in IDA without manually editing every libc function?

Inline syscalls are rarely used on their own even in minimal libraries like musl. Usually there are wrapper functions around the syscall, which is what actually ends up in the binary. So what you can do is use the FLAIR toolkit to generate a FLIRT signature from musl's static library and then apply the signature to your binary. This way you should get all the wrapper functions recognized which, coupled with one of the standard type libraries, should give you names and arguments for the C library functions.

  • Compiled musl from the git repo. Ran ./pelf libc.a. Got this error (__init_tls.lo): Unknown relocation type 42 (offset in section=0x41). Though it generated a libc.pat file, ./sigmake libc.pat libc.sig shows this error: ./lib/libc.pat (1): FATAL: can't find eof marker (---).
    – Biswapriyo
    Commented Sep 29, 2019 at 17:09
  • IIRC you can handle unsupported relocations with -r switch
    – Igor Skochinsky
    Commented Sep 29, 2019 at 17:32
  • It’s a switch for pelf, not sigmake
    – Igor Skochinsky
    Commented Sep 29, 2019 at 22:32
  • I have to find the compiler. Now FLIRT works; IDA can show 90% of the syscall/libc function names.
    – Biswapriyo
    Commented Nov 19, 2019 at 15:00

Here are the required steps using Igor Skochinsky's answer:

  • Clone the musl git repository:
    git clone --depth=1 git://git.musl-libc.org/musl
  • Compile the code:
    cd musl; ./configure; make -s -j2
  • Extract the Flair tool from the IDA SDK. Run pelf (the ELF parser) on the musl static library compiled in the step above:
    cd ./lib
    ~/flair/bin/linux/pelf libc.a

The output will be something like below:

Fatal [/mnt/c/MyFiles/libc.a] (__init_tls.lo): Unknown relocation type 42 (offset in section=0x3a).
  • To fix the unsupported relocation error, run pelf with the -r option:
    ./flair/bin/linux/pelf -r42:58:0 libc.a musl.pat

The -r option is specified as -rN:O:L, where N is the relocation type; L bytes at offset O from the relocation address are marked as variable. This creates a PAT file.

  • Now run sigmake to create the Flair signature file:
    ./flair/bin/linux/sigmake -n musl musl.pat musl.sig

If the output does not show any warning then the SIG file is OK. But if there are any collisions between function signatures, the output will be something like below:

libc.sig: modules/leaves: 1550/1775, COLLISIONS: 41

To mitigate the error, remove the comments from the musl.exc collision file. Then run the above sigmake command again. There will be a musl.sig file which can be imported into IDA Pro from File > Load File > FLIRT signature file.

The FLIRT signature depends on the C/C++ compiler. In my case it is clang. I found it in the exception handling function. There will be a static string like CLNGC++\0. The string cannot be found in IDA's String Window. So, one has to find the exception handling function first. The trick is that the function is called whenever an error value is returned.

  • Much appreciated!
    – 0xC0000022L
    Commented Sep 15, 2020 at 19:52
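As an added illustration that is not part of either answer and not code from IDA's FLAIR toolkit, here is a small Python checker for the .pat file that pelf writes and sigmake reads. It reproduces two of the failures discussed above: the missing `---` end marker from the first comment, and the COLLISIONS count that sigmake prints when two modules have identical bytes, CRC and length but different names. The line layout follows the PAT format documented in FLAIR's pat.txt (pattern with `..` wildcards, CRC length, CRC16, module length, then `:offset name` publics and `^offset name` references); the sample lines, the CRC values and the names stub_a/stub_b are constructed for the example, not taken from a real musl.pat.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

EOF_MARKER = "---"  # sigmake refuses a PAT file that does not end with this line

# pattern  crc-length(2 hex)  crc16(4 hex)  module-length(4 hex)  remainder
_LINE_RE = re.compile(
    r"^([0-9A-Fa-f.]+)\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s*(.*)$"
)


@dataclass
class PatModule:
    pattern: str
    crc_len: int
    crc16: int
    length: int
    publics: list = field(default_factory=list)  # [(offset, name)] from ':off name'
    refs: list = field(default_factory=list)     # [(offset, name)] from '^off name'
    tail: str = ""                               # hex bytes after the CRC-covered region


def parse_pat_line(line: str) -> PatModule:
    """Parse one module line of a PAT file."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed PAT line: {line!r}")
    pattern, crc_len, crc16, length, rest = m.groups()
    mod = PatModule(pattern, int(crc_len, 16), int(crc16, 16), int(length, 16))
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[0] in ":^" and i + 1 < len(tokens):
            # ':XXXX name' is a public symbol, '^XXXX name' a referenced one;
            # a trailing '@' marks a local symbol and is simply stripped here.
            offset = int(tok[1:].rstrip("@"), 16)
            (mod.publics if tok[0] == ":" else mod.refs).append((offset, tokens[i + 1]))
            i += 2
        else:
            mod.tail += tok  # any remaining token is trailing byte data
            i += 1
    return mod


def has_eof_marker(text: str) -> bool:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1] == EOF_MARKER


def parse_pat(text: str) -> list:
    """Parse a whole PAT file; fail the way sigmake does when '---' is missing."""
    if not has_eof_marker(text):
        raise ValueError("can't find eof marker (---)")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [parse_pat_line(ln) for ln in lines[:-1]]


def find_collisions(modules: list) -> dict:
    """Simplified collision check: modules whose pattern, CRC and length coincide
    but whose public names differ (what sigmake counts as COLLISIONS and lists
    in the .exc file for the user to resolve)."""
    groups = defaultdict(list)
    for mod in modules:
        groups[(mod.pattern, mod.crc_len, mod.crc16, mod.length)].append(mod)
    collisions = {}
    for key, mods in groups.items():
        name_sets = {tuple(sorted(n for _, n in m.publics)) for m in mods}
        if len(name_sets) > 1:
            collisions[key] = sorted(n for names in name_sets for n in names)
    return collisions


# Constructed sample: two syscall wrappers (mov eax, N; syscall; ret), one
# function with a wildcarded call target, and two byte-identical stubs.
SAMPLE_PAT = """\
B8390000000F05C3 00 0000 0008 :0000 fork
B83A0000000F05C3 00 0000 0008 :0000 vfork
4883EC08E8........4883C408C3 0A 1234 000E :0000 __syscall_ret ^0005 __errno_location
31C0C3 00 0000 0003 :0000 stub_a
31C0C3 00 0000 0003 :0000 stub_b
---
"""

if __name__ == "__main__":
    mods = parse_pat(SAMPLE_PAT)
    print(f"modules: {len(mods)}, collisions: {len(find_collisions(mods))}")
    for key, names in find_collisions(mods).items():
        print("collision on pattern", key[0], "->", ", ".join(names))
```

Run it on a real musl.pat by reading the file into `parse_pat`; a file cut short by a pelf failure trips the same eof-marker error the comment above shows, and the collision list is the set of names you would expect to see in musl.exc.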
